From d541351bba3f874bcb9d51483679970981892c49 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 30 Mar 2015 22:51:09 -0400
Subject: [PATCH] Disable TLS 1.2 by default. Causes MPPE key mismatches with eapol_test. Manual port of commit 8ac08a4 to v2.
---
 src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index a958d04..5780045 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -144,9 +144,14 @@ static CONF_PARSER module_config[] = {
 { "disable_tlsv1_1", PW_TYPE_BOOLEAN,
 offsetof(EAP_TLS_CONF, disable_tlsv1_1), NULL, NULL },
 #endif
+
+ /*
+ * @fixme Disabled because using TLS1.2 seems to cause MPPE key issues with eapol_test
+ * need to fix FreeRADIUS or wpa_supplicant.
+ */
 #ifdef SSL_OP_NO_TLSv1_2
 { "disable_tlsv1_2", PW_TYPE_BOOLEAN,
- offsetof(EAP_TLS_CONF, disable_tlsv1_2), NULL, NULL },
+ offsetof(EAP_TLS_CONF, disable_tlsv1_2), NULL, "yes" },
 #endif

 { "cache", PW_TYPE_SUBSECTION, 0, NULL, (const void *) cache_config },
@@ -1165,7 +1170,7 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
 #endif

 #ifdef SSL_OP_NO_TICKET
- ctx_options |= SSL_OP_NO_TICKET ;
+ ctx_options |= SSL_OP_NO_TICKET;
 #endif

 /*
-- 
2.1.4
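Review bot: The new `"yes"` default on the `disable_tlsv1_2` entry turns TLS 1.2 off for every deployment that does not set the option explicitly, and the added `@fixme` comment records the interoperability reason but not this security trade-off or how an operator reverses it. The diffstat lists only this file, so any operator-facing description of the option is presumably not updated in this commit. I would extend the comment with a line such as `* Default only: set disable_tlsv1_2 = no to re-enable TLS 1.2 once the MPPE key issue is resolved.` and consider emitting a startup notice where the option is applied (presumably in `init_tls_ctx`, whose body is mostly outside this patch) so the protocol downgrade is visible in logs. The `module_config[]` array begins and ends outside the hunk.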